How do I configure sudoers, fstab, user logons for a domain joined Linux instance at launch? Can I use userdata?


Hi all, I've been trying to streamline my process for joining Linux instances to my domain. As such, there are a number of configurations that I still need to take care of manually that I would like to automate if possible. This includes the following:

  1. Restrict logins to the AWS Delegated Administrators group from my Directory Service implementation
  2. Add the AWS Delegated Administrators group to the sudoers file (is there a better way to achieve this? Should I use the /etc/sudoers.d folder instead? This looks like a cleaner way to define permissions, but I could not find any documentation on how to configure this folder.)
  3. Install cifs-utils
  4. Configure the logon banner
  5. In some cases, configure the fstab file

I think 3, 4, and 5 are easily done through the userdata file; however, I'm not clear on how to configure all of the necessary files for 1 and 2. For example, to properly allow the AWS Delegated Administrators group to log in to the system, the following files need to be configured:

  • /etc/pam.d/login
  • /etc/pam.d/sshd
  • /etc/security/access.conf

Documentation I found showed that I needed to update the pam.d files to allow for spaces in a logon group/username.

I imagine these are fairly basic configuration steps for most anyone setting up a domain joined Linux instance in their environment so it would be nice to see this standardized, perhaps in an SSM document that can also be run, or if dynamic options can be set during the instance launch process when selecting domain join, that would be great.

1 Answer
Accepted Answer

Hi!

What you described can be achieved with user-data; it might be a tricky and not so stylish script, but it is possible.

Now, if you don't mind, I would like to recommend the use of Packer: https://www.packer.io/

Why? Well, with Packer you can build what is often called a Golden AMI; such an AMI can be pushed and used when you deploy your instances. Setting up the configuration management can be achieved using what Packer calls "Provisioners". Below you will see an example of each provisioner that might be interesting for you, and if you really want a neat way to build the AMI with the required configuration, you can use Ansible as a provisioner and define your tasks in Ansible Playbooks or Roles.

{
  "variables": {
    "aws_access_key": "{{env `AWS_ACCESS_KEY_ID`}}",
    "aws_secret_key": "{{env `AWS_SECRET_ACCESS_KEY`}}",
    "region": "us-east-1"
  },
  "builders": [
    {
      "access_key": "{{user `aws_access_key`}}",
      "secret_key": "{{user `aws_secret_key`}}",
      "type": "amazon-ebs",
      "profile": "default",
      "region": "{{user `region`}}",
      "instance_type": "t2.micro",
      "ssh_username": "centos",
      "source_ami" : "ami-0affd4508a5d2481b",
      "ami_name": "centos-aws-demo-{{timestamp}}",
      "ami_description":"CentOS Linux 7 x86_64 HVM EBS ENA 2002_01 with docker",
      "run_tags" : {
        "Name" : "packer-builder-docker",
        "Tool" : "Packer",
        "Author" : "DavidCaballero"
      },
      "tags": {
        "Name": "centos-aws-demo"
      }
    }
  ],
  "provisioners": [
    {
      "type": "file",
      "source": "./welcome.txt",
      "destination": "/home/centos/"
    },
    {
      "type": "shell",
      "inline": ["ls -al /home/centos", "cat /home/centos/welcome.txt"]
    },
    {
      "type": "shell",
      "script": "./docker_install.sh"
    },
    {
      "type": "ansible",
      "playbook_file": "./playbooks/hostname.yml"
    }
  ]
}

answered a year ago
  • This is great. I'll have to have a look at Packer/Ansible. I've been trying to learn Terraform so this should prove to be helpful.

    Thanks!
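Putting the question's items 1 and 2 into a script that a user-data block or a Packer shell provisioner could run, as an added example that is not from the question, the answer or AWS's documentation. It assumes the group is visible to `getent group` as `AWS Delegated Administrators`, that the AMI's default SSH user (`centos` in the Packer configuration above) is the local break-glass account, and the pam_access `listsep=,` option documented in pam_access(8).

```shell
#!/bin/sh
# Added example, not code from the question or the answer. ROOT defaults to "/"
# so the script can run from user-data or a Packer shell provisioner; point ROOT
# at a scratch directory to inspect the output first. Assumed: the group name as
# getent group shows it, and the AMI's default ssh user as break-glass account.
ROOT="${ROOT:-/}"
GROUP="${GROUP:-AWS Delegated Administrators}"
BREAK_GLASS_USER="${BREAK_GLASS_USER:-centos}"

# sudoers needs each space in a group name escaped: %AWS\ Delegated\ Administrators
sudoers_group_spec() {
    printf '%%%s' "$(printf '%s' "$1" | sed 's/ /\\ /g')"
}

# Drop-in under /etc/sudoers.d, which the stock /etc/sudoers pulls in through
# "#includedir /etc/sudoers.d". Names containing "." or ending in "~" are ignored.
write_sudoers_dropin() {
    mkdir -p "$ROOT/etc/sudoers.d"
    printf '%s ALL=(ALL:ALL) ALL\n' "$(sudoers_group_spec "$GROUP")" \
        > "$ROOT/etc/sudoers.d/90-domain-admins"
    chmod 0440 "$ROOT/etc/sudoers.d/90-domain-admins"
}

# visudo -c rejects a syntax error before a broken drop-in locks sudo out.
check_sudoers_dropin() {
    visudo -c -q -f "$ROOT/etc/sudoers.d/90-domain-admins"
}

# access.conf is first-match: break-glass user, then the group, then deny all.
# (name) forces a group match; no spaces around the colons, because with
# listsep=, they would become part of the token being compared.
write_access_conf() {
    mkdir -p "$ROOT/etc/security"
    printf '%s\n' "+:$BREAK_GLASS_USER:ALL" "+:($GROUP):ALL" '-:ALL:ALL' \
        > "$ROOT/etc/security/access.conf"
}

# listsep=, makes pam_access split list items on commas only, so the spaces
# in the group name survive instead of yielding three separate names.
enable_pam_access() {
    for svc in login sshd; do
        f="$ROOT/etc/pam.d/$svc"
        mkdir -p "$ROOT/etc/pam.d" && touch "$f"   # idempotent: append only once
        grep -q 'pam_access.so' "$f" ||
            printf 'account    required     pam_access.so listsep=,\n' >> "$f"
    done
}

apply_all() { write_sudoers_dropin && check_sudoers_dropin && write_access_conf && enable_pam_access; }
```

Run it once with `ROOT=/tmp/stage sh script.sh` and a call to `apply_all` to review the generated files before baking them into the AMI; the `-:ALL:ALL` line locks out every account not listed above it, so keep the break-glass entry until domain logins are confirmed working.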
